Cybersecurity

New York City wants vendor investigated after apparent hack affecting 820,000 students

Student records going back to 2016 were affected in the breach of a vendor that provides grading and attendance software.

By Benjamin Freed

March 29, 2022

New York Mayor Eric Adams attends an event to raise the Ukrainian flag in support of the people at the Bowling Park in the heart of financial district on March 23. (Jimin Kim / VIEWpress / Getty Images)

New York Mayor Eric Adams and other city officials are demanding an investigation of a software vendor used by the city’s Department of Education, following the disclosure of a January breach that potentially revealed personal data of 820,000 current and former students.

The vendor, Illuminate Education, which provides grading and attendance-records software to New York City public schools, told StateScoop in a written statement that it recently closed an investigation into the January incident, finding that “some personal information” was exposed by unauthorized access into its systems.

“We recently completed the investigation regarding unauthorized access of our systems and determined that some personal information was involved,” the statement read. “We are in the process of notifying customers that may have been affected. There is no evidence of any fraudulent or illegal activity related to this incident. The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again.”

The January breach resulted in New York City schools’ grading and attendance systems going down for several weeks, to the consternation of teachers, parents and students. According to the New York Daily News, which first reported Illuminate Education’s acknowledgment of the incident, the hack exposed the names, dates of birth, ethnicities, primary languages and ID numbers of students going back to the 2016-17 academic year.

Illuminate Education said the company does not store financial information or Social Security numbers.

Still, the 820,000 students potentially affected could constitute the largest single breach of K-12 student data, Doug Levin of K-12 Security Information Exchange told the Daily News.

Levin’s organization has tracked thousands of cybersecurity incidents affecting K-12 schools dating back to 2016, finding that many of them originate with software vendors.

City officials did not respond to StateScoop’s request for comment. But in statements released to The Record and other outlets, Adams blasted the two-month gap between the January software outages and Illuminate Education’s acknowledgment last week.

“The formal notification of a breach of students’ data by Illuminate after two months shows the company has been more concerned with protecting itself than protecting our students,” Adams said.

In addition to turning the matter over to the New York State Education Department’s privacy officer, Adams and New York City Schools Chancellor David Banks have asked the New York Police Department, state Attorney General Letitia James and the FBI to investigate the incident.

Adams last month joined New York Gov. Kathy Hochul and other state officials in opening a joint cybersecurity operations center in Brooklyn, saying at the time that he was told upon taking office that his “real crisis is going to be cybersecurity.”